Method, device, and system for deriving keys

ABSTRACT

Method, device, and system for deriving keys are provided in the field of mobile communications technologies. The method for deriving keys may be used, for example, in a handover process of a User Equipment (UE) from an Evolved Universal Terrestrial Radio Access Network (EUTRAN) to a Universal Terrestrial Radio Access Network (UTRAN). If a failure occurred in a first handover, the method ensures that the key derived by a source Mobility Management Entity (MME) for a second handover process of the UE is different from the key derived for the first handover process of the UE. This is done by changing input parameters used in the key derivation, so as to prevent the situation in the prior art that once the key used on one Radio Network Controller (RNC) is obtained, the keys on other RNCs can be derived accordingly, thereby enhancing the network security.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation of International Application NoPCT/CN2010/074559, filed on Jun. 26, 2010, which claims priority toChinese Patent Application No. 200910148423.7, filed on Jun. 26, 2009,both of which are hereby incorporated by reference in their entireties.

FIELD OF THE INVENTION

The present invention relates to the field of communicationstechnologies, and in particular, to a method, device, and system forderiving keys.

BACKGROUND OF THE INVENTION

A mobile communication system includes a radio access network. Examplesof the radio access network include second generation mobilecommunication network, third generation mobile communication network,and Long Term Evolution (LTE) communication network.

When a User Equipment (UE) is handed over from a source network wherethe UE originally locates to a target network, a key of the targetnetwork may be derived from a key of the source network, therebyavoiding a process of authentication and key negotiation. As such, theUE and the target network each generates, through the same key parameterand algorithm, the key eventually used in the target network.

In a Universal Terrestrial Radio Access Network (UTRAN), the process ofauthentication and key negotiation generates a Ciphering Key (CK) and anIntegrity Key (IK); and in an Evolved UTRAN (EUTRAN), the process ofauthentication and key negotiation generates a root key (Kasme).

Taking the handover of a UE from the EUTRAN to the UTRAN as an example,a base station (BS) originally serving the UE in the EUTRAN (referred toas a source BS below) initiates a network handover process; a MobilityManagement Entity (MME) associated with the source BS (referred to as asource MME below), derives a key CK′ ∥ IK′ of the UE in the targetnetwork according to a Key Derivation Function (KDF), an input parameter(i.e. a root key Kasme), and a Non-Access Stratum (NAS) downlink COUNTvalue in the current security context, and sends the derived key to thetarget UTRAN. The target network decides a security algorithm for the UEand returns the security algorithm to the UE. The UE synchronizes thekey with the target network side according to the security algorithm.

In the above handover process of the UE from the EUTRAN to the UTRAN,the handover of the UE to the UTRAN may fail due to the failure of theconnection of an air interface radio link, so that the UE is returned tothe EUTRAN. The UE initiates a link reestablishment process to the BScurrently serving the UE, that is, the BS where the UE currently locates(referred to as a current BS below) and after deciding to perform ahandover, the current BS initiates a second handover process. In thiscase, the key derivation on the MME in the second handover process andthe key derivation on the MME in the first handover process are bothperformed according to the root key Kasme and the current NAS downlinkCOUNT value, and therefore the calculated key CK′ ∥ IK′ is the same.Further, the keys obtained during the handovers by several Radio NetworkControllers (RNC) in a UMTS network through a target Serving GPRSSupport Node (SGSN) may be the same. Once a key used on one RNC isobtained, keys on other RNCs can be derived accordingly, resulting in anetwork security risk.

SUMMARY OF THE INVENTION

The present invention is directed to, when a user equipment is handedover from a source radio access network to a target radio accessnetwork, a method, a device, and a system for deriving a key for use inthe target radio access network. The invention enhances the networksecurity.

An embodiment of the present invention provides a key derivation method.The method includes:

generating a random value;

using the random value and a root key as input parameters of a keyderivation function (KDF) to derive a key for a user equipment (UE) in atarget radio access network; or using the random value, a current NASdownlink COUNT value, and the root key as input parameters of the KDF toderive the key for the UE in the target radio access network.

Another embodiment of the present invention provides a key derivationmethod. The method includes:

receiving, by a UE, a Handover Command message;

if the Handover Command message includes a random value, using therandom value and a root key as input parameters of a KDF to derive a keyfor the UE in a target radio access network ; and

if the Handover Command message includes the random value and a currentNAS downlink COUNT value, using the random value, the current NASdownlink COUNT value, and the root key as input parameters of the KDF toderive the key for the UE in the target radio access network .

A further embodiment of the present invention provides a key derivationmethod. The method includes:

obtaining a new NAS downlink COUNT value;

deriving a key for a UE in a target radio access network according to aKDF, a root key, and the new NAS downlink COUNT value; and

sending the new NAS downlink COUNT value to the UE, so that the UEderives a same key for use in the target radio access network.

Yet another embodiment of the present invention provides a keyderivation method. The method includes:

receiving, by a UE, a Handover Command message, in which the HandoverCommand message includes a new NAS downlink COUNT value; and

deriving a key of the UE for use in a target radio access networkaccording to a KDF, a root key, and the new NAS downlink COUNT value.

Yet a further embodiment of the present invention provides a keyderivation method. The method includes:

receiving a Handover Required message, in which the Handover Requiredmessage includes a fresh value of a UE;

using the fresh value of the UE and a root key as input parameters of aKDF to derive a key of the UE for use in a target radio access network;or

using the fresh value of the UE, a current NAS downlink COUNT value, andthe root key as input parameters of the KDF to derive the key of the UEfor use in the target radio access network.

An embodiment of the present invention provides a key derivation method.The method includes:

sending, by a UE, a Radio Resource Control (RRC) ConnectionReestablishment Request message, in which the RRC ConnectionReestablishment Request message includes a fresh value of the UE;

using the fresh value of the UE and a root key as input parameters of aKDF to derive a key of the UE for use in a target radio access networkwhen receiving a Handover Command message sent by a BS; and

using the fresh value of the UE, a current NAS downlink COUNT value, andthe root key as input parameters of the KDF to derive the key of the UEin the target radio access network if the Handover Command messageincludes the current NAS downlink COUNT value.

An embodiment of the present invention provides an MME. The MMEincludes:

a generating unit, configured to generate a random value; and

a deriving unit, configured to use a root key and the random valuegenerated by the generating unit as input parameters of a KDF to derivea key of a UE for use in a target radio access network; or use therandom value, a current NAS downlink COUNT value, and the root key asthe input parameters of the KDF to derive the key of the UE for use inthe target radio access network.

An embodiment of the present invention provides a UE, where the UEincludes:

a message receiving unit, configured to receive a Handover Commandmessage;

a key deriving unit, configured to use a random value and a root key asinput parameters of a KDF to derive a key of the UE in a target radioaccess network if the Handover Command message received by the messagereceiving unit includes the random value; and

configured to use the random value, a current NAS downlink COUNT value,and the root key as input parameters of the KDF to derive the key of theUE in the target radio access network if the Handover Command messagereceived by the message receiving unit includes the random value and thecurrent NAS downlink COUNT value.

An embodiment of the present invention provides an MME, where the MMEincludes:

a count value obtaining unit, configured to obtain a new NAS downlinkCOUNT value;

a second deriving unit, configured to derive a key of a UE in a targetradio access network according to a KDF, a root key, and the new NASdownlink COUNT value obtained by the count value obtaining unit; and

a handover sending unit, configured to send the new NAS downlink COUNTvalue obtained by the count value obtaining unit to the UE, so that theUE derives the key in the target radio access network.

An embodiment of the present invention provides a UE, where the UEincludes:

a second message receiving unit, configured to receive a HandoverCommand message, in which the Handover Command message includes a newNAS downlink COUNT value; and

a second key deriving unit, configured to derive a key of the UE in atarget radio access network according to a KDF, a root key, and the newNAS downlink COUNT value in the Handover Command message received by thesecond message receiving unit.

An embodiment of the present invention provides a communication system,where the communication system includes any one of the above MMEs.

The key derivation method, device, and system according to theembodiments of the present invention are applicable to the handoverprocess of the UE from a source radio access network to a target radioaccess network, and particularly to the handover process from the EUTRANto the UTRAN. In the case of failure of the first handover to the secondhandover, it is guaranteed that the key derived on the source MME in thefirst handover process of the UE is different from the key derived onthe MME in the second handover process of the UE through changing theinput parameters used in the key derivation, such as generating therandom value, changing the current NAS downlink COUNT value, andobtaining the fresh value of the UE, so as to prevent the situation inthe prior art that once the key used on one RNC is obtained, the keys onother RNCs can be derived accordingly, thereby enhancing the networksecurity.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a flowchart of a key derivation method according to anembodiment of the present invention;

FIG. 2 is a flowchart of a key derivation method according to MethodEmbodiment 1 of the present invention;

FIG. 3 is a flowchart of a key derivation method according to MethodEmbodiment 2 of the present invention;

FIG. 4 is a flowchart of a key derivation method according to MethodEmbodiment 3 of the present invention;

FIG. 5 is a flowchart of a key derivation method according to MethodEmbodiment 4 of the present invention;

FIG. 6 is a flowchart of a key derivation method according to MethodEmbodiment 5 of the present invention;

FIG. 7 is a block diagram of a logic structure of an MME according toDevice Embodiment 1 of the present invention;

FIG. 8 is a block diagram of a logic structure of a UE according toDevice Embodiment 2 of the present invention;

FIG. 9 is a block diagram of a logic structure of an MME according toDevice Embodiment 3 of the present invention;

FIG. 10 is a block diagram of a logic structure of a UE according toDevice Embodiment 4 of the present invention;

FIG. 11 is a block diagram of a logic structure of an MME according toDevice Embodiment 5 of the present invention;

FIG. 12 is a block diagram of a logic structure of a BS according toDevice Embodiment 6 of the present invention;

FIG. 13 is a block diagram of a logic structure of a UE according toDevice Embodiment 7 of the present invention; and

FIG. 14 is a block diagram of a logic structure of an MME according toDevice Embodiment 8 of the present invention.

DETAILED DESCRIPTION

The embodiments of the present invention are applicable to the handoverprocess of a UE from an EUTRAN to a UTRAN. The following method is usedto enhance the network security in the embodiments of the presentinvention: an NAS downlink COUNT value used when key derivation isperformed on a source MME during a first handover process of the UE isdifferent from the NAS downlink COUNT value used when key derivation isperformed on the MME during a second handover process of the UE, so thatthe keys generated during each handover process of the UE from theEUTRAN to the UTRAN are different, and the keys of the UE used on theRNC and SGSN in the target network are thus different. Therefore, thesituation in the prior art that once the key used on one RNC isobtained, the keys used on other RNCs can be derived accordingly isavoided, thereby enhancing the network security.

Referring to FIG. 1, an embodiment of the present invention provides akey derivation method, where the method includes the following steps:

Step 10: An MME generates a random value.

Step 20: The MME uses the random value and a root key as inputparameters of a KDF to derive a key of a UE in a target UTRAN; or usesthe random value, a current NAS downlink COUNT value, and the root keyas input parameters of the KDF to derive the key of the UE in the targetUTRAN.

For better understanding, the method, device, and system for deriving akey according to the embodiments of the present invention are describedbelow through a specific network handover process.

Method Embodiment 1

A key derivation method is provided. An application scenario of thisembodiment is a handover process of a UE from an EUTRAN to a UTRAN. Aflowchart of the method according to this embodiment is shown in FIG. 2,which includes the flowing steps:

Step 101: A BS where a UE currently locates, namely a current BS, sendsa “Handover Required” message to an MME associated with the current BS,namely a current MME.

Step 102: The current MME receives the Handover Required message,generates a random value, and uses the random value and a root key asinput parameters of a KDF to derive a key of the UE in a target UTRAN.

It can be understood that the current MME may generate a random value atany time when receiving the Handover Required message. The random value,i.e. a fresh value of the MME, may be generated by an internal randomnumber generating module of the MME.

The specific description of a KDF is that KDF=Hash Function(HMAC)-SHA-256(Key, S), in which Key is an input function, and S=FC ∥ P0∥ L0 ∥ P1 ∥ L1 ∥ P2 ∥ L2 ∥ P3 ∥ L3 ∥ . . . ∥Pn ∥ Ln, where ∥ representsconcatenation, FC is used to distinguish different KDFs, P is a code ofthe input parameter, and L is the length of the input parametercorresponding to P. When the KDF is employed to derive a key CK′ ∥ IK′,the CK′ ∥ IK′=KDF(KASME, S), and S=FC ∥ P0 ∥ L0, where FC isspecifically 0×16, P0 is an NAS downlink COUNT value, and L0 is thelength of the NAS downlink COUNT value (such as 0×00 0×04).

When deriving the key in this embodiment, the current MME may use thefresh value of the MME and the root key as the input parameters of theKDF to derive the key of the UE in the target UTRAN. In this case, thekey CK′ ∥ IK′=KDF(Kasme, S), where S=FC ∥ fresh value of MME ∥ length offresh value of MME.

Step 103: The current MME sends a Relocation Request message to a targetRNC through a target SGSN, in which the Relocation Request messageincludes the key of the UE in the target UTRAN calculated in step 102, acorresponding KSI, and information such as a security capability of theUE in the UTRAN or GSM/EDGE Radio Access Network (GERAN).

Step 104: The target RNC sends a Forward Relocation Response message tothe current MME through the target SGSN, in which the Forward RelocationResponse message carries an algorithm identifier (ID) selected by thetarget RNC according to the security capability of the UE.

Step 105: The current MME sends the random value obtained in step 102 tothe UE through a Handover Command message.

It can be understood that the MME may send the Handover Command messageto the BS, in which the Handover Command message may include thegenerated random value, and further include information such as thealgorithm ID and the current NAS downlink COUNT value; and the BS thensends information such as the random value, the current NAS downlinkCOUNT value, and the algorithm ID included in the Handover Commandmessage to the UE through an “handover from EUTRAN” (HO from EUTRAN)command message.

Step 106: The UE receives the Handover Command message, derives the keyaccording to the random value through the method in the above step 102,therefore achieving the synchronization of the key between the UE andthe target network, and sends an HO Complete message to the target RNCto complete the network handover. It can be understood that the UE maycalculate the specific CK′ or IK′ according to the algorithm ID.

It should be noted that in the first handover process of the UE to theUTRAN, the source MME may apply the key derivation method used in thenetwork handover of this embodiment; and after the failure of the firsthandover of the UE, the MME may also apply the key derivation method ofthis embodiment to derive the key in the second handover of the UE.

In another instance, when performing the key derivation in step 102, theMME may use the random value, the current NAS downlink COUNT value, andthe root key as the input parameters of the KDF to derive the key of theUE in the target UTRAN. In this case, the key CK′ ∥ IK′=KDF(Kasme, S),where S=FC ∥ P0 ∥ L0 ∥ fresh value of MME ∥ length of fresh value ofMME. Then, in step 105, the MME sends the Handover Command messageincluding the random value and the current NAS downlink COUNT value tothe UE, and only four least significant bits of the current NAS downlinkCOUNT value may be included herein. Thereby, in step 106, the UE derivesthe key according to the random value and the current NAS downlink COUNTvalue by using the method in step 102.

In other instances, in the first handover of the UE, the source MME maysave the key after deriving the key; and when the first handover of theUE succeeds, the saved key may be deleted. The source MME receives aForward Relocation Complete message sent by the target SGSN after the UEsends the HO Complete message, which indicates that the first handoveris successful. After receiving the Handover Required message, the MMEdetermines whether the key of the UE in the target UTRAN is currentlysaved; if yes, the MME further determines whether the NAS downlink COUNTvalue corresponding to the currently saved key of the UE in the targetUTRAN is consistent with the current NAS downlink COUNT value; and ifconsistent, the MME obtains a random value. When the MME determines thatthe key of the UE in the target UTRAN is not currently saved, a randomvalue is obtained by using the method of this embodiment, and then thederivation is performed; and if the above consistency determinationresult is inconsistent, the derivation is performed by using the currentderivation method.

It can be understood that in the second handover of the UE after thefirst handover of the UE fails and before the MME receives the HandoverRequired message again, an NAS process may be performed, and the NASdownlink COUNT value changes, so that when the above determinationresult is inconsistent, the MME may use the current NAS downlink COUNTvalue to derive the key, and the key derived in this manner is differentfrom the key derived in the first handover; if the determination resultis positive, a random value is obtained.

In the embodiment of the present invention, the key derivation methodused in the handover of the UE from the EUTRAN to the UTRAN is that:when receiving the Handover Required message, the MME generates a randomvalue, and derives the key of the UE in the target UTRAN according tothe KDF, the root key, and the random value. In this case, the keyderived in the second handover process after the failure of the firsthandover of the UE is surely different from the key derived in the firsthandover process, therefore avoiding the situation in the prior art andenhancing the network security.

Method Embodiment 2

A network handover method is provided. An application scenario of thisembodiment is that in the handover process of a UE from an EUTRAN to aUTRAN, after a first handover of the UE fails, the UE returns to theoriginal EUTRAN and selects an SGSN for a second handover. A flowchartof the method according to this embodiment is shown in FIG. 3. Themethod includes the following steps:

Step 201: The UE sends an RRC Connection Reestablishment Request messageto a source BS, and performs an RRC connection reestablishment process.

It can be understood that after the first handover fails, the UE mayreturn to a different cell under the source BS, or return to the samecell under the source BS, or return to a BS different from the sourceBS. In this embodiment, an example of the UE returning to the same cellunder the source BS is used for illustration.

Step 202: After the RRC connection is reestablished, the source BS sendsa Handover Required message to a source MME.

Step 203: The source MME receives the Handover Required message, andobtains a new NAS downlink COUNT value, in which the new NAS downlinkCOUNT value is different from a current NAS downlink COUNT value.

When obtaining the new NAS downlink COUNT value, the source MME mayobtain the new NAS downlink COUNT value in following way:

adding a certain value to the current NAS downlink COUNT value, such asadding 1; or

sending an NAS message, such as an NAS Security Mode Command (SMC)message, to the UE, so that the currently saved NAS downlink COUNT valueis added by 1, and the NAS downlink COUNT value after the NAS message issent is used as the new NAS downlink COUNT value.

Step 204: The source MME derives the key of the UE in a target UTRANaccording to a KDF, a root key, and the new NAS downlink COUNT value.

The key derived by the source MME CK′ ∥ IK′=KDF(Kasme, S), where S=FC ∥new AS downlink COUNT value ∥ length of new AS downlink COUNT value.

Step 205: The source MME sends a Relocation Request message to a targetRNC through the target SGSN, in which the Relocation Request messageincludes the key of the UE in the target UTRAN calculated in step 204.

Step 206: The target RNC sends a Forward Relocation Response message tothe source MME through the target SGSN, in which the Forward RelocationResponse message carries an algorithm ID selected by the target RNCaccording to a security capability of the UE.

Step 207: The source MME sends the new NAS downlink COUNT value to theUE through a Handover Command message, in which only four leastsignificant bits of the new NAS downlink COUNT value may be sent to theUE.

It can be understood that the MME may send the Handover Command messageto the BS, in which the Handover Command message may include the new NASdownlink COUNT value, and may also include information such as analgorithm ID; and the BS then sends the new NAS downlink COUNT value tothe UE through an HO from EUTRAN command message.

Step 208: The UE receives the Handover Command message, derives the keyaccording to the KDF, the root key, and the new NAS downlink COUNT valueby using the method in the above step 204, therefore achieving thesynchronization of the key between the UE and the target network, andsends an HO Complete message to the target RNC to complete the networkhandover.

In other instances, in the first handover process of the UE, the sourceMME may save the key after the key derivation, and when receiving aForward Relocation Complete message sent by the target SGSN, the sourceMME may delete the saved key. Therefore, before performing step 203, thesource MME determines whether the key of the UE in the target UTRAN iscurrently saved; if yes, further determines whether the NAS downlinkCOUNT value corresponding to the currently saved key of the UE in thetarget UTRAN is consistent with the current NAS downlink COUNT value;and if consistent, performs step 203 to obtain the new NAS downlinkCOUNT value. When the source MME determines that the key of the UE inthe target UTRAN is not currently saved, the MME may perform step 203 toobtain the new NAS downlink COUNT value; and if the above consistencydetermination result is inconsistent, the MME performs the derivationaccording to the current derivation method.

It can be understood that in the second handover of the UE after thefirst handover of the UE fails and before the source MME receives theHandover Required message again, an NAS process may be performed, andthe NAS downlink COUNT value changes, so that when the abovedetermination result is inconsistent, the source MME may use the currentNAS downlink COUNT value to derive the key, and the key derived in thismanner is different from the key derived in the first handover; if thedetermination result is positive, the key derivation is performed afterthe new NAS downlink COUNT value is obtained.

In an embodiment of the present invention, two state machines are set inthe source MME, respectively for the key derivation incapable of usingthe saved NAS downlink COUNT value and the key derivation capable ofusing the saved NAS downlink COUNT value, and are respectively indicatedby State 0 and State 1. When the source MME receives the HandoverRequired message, State 0 is set; and when the MME goes through acertain internal process and satisfies a preset condition, State 1 isset, that is, the key derivation can be performed, in which the presetcondition includes: the MME receives a Forward Relocation Completemessage, the current NAS downlink COUNT value is added by a certainvalue, and the MME delivers an NAS message. For example, after the MMEreceives the Handover Required message and delivers the NAS message, thekey derivation can be performed.

In the embodiment of the present invention, in the handover process ofthe UE from the EUTRAN to the UTRAN, after the first handover fails, thekey derivation method in the second network handover is that, afterreceiving the Handover Required message, the source MME obtains the newNAS downlink COUNT value different from the current NAS downlink COUNTvalue, and derives the key of the UE in the target UTRAN according tothe KDF, the root key, and the new NAS downlink COUNT value. In thismanner, the key derived in the second handover process is surelydifferent from the key derived in the first handover process, thereforeavoiding the situation in the prior art and enhancing the networksecurity.

Method Embodiment 3

A key derivation method is provided. An application scenario of thisembodiment is that in the handover process of a UE from an EUTRAN to aUTRAN, after a first handover of the UE fails, the UE returns to theoriginal EUTRAN and selects an SGSN for a second handover. A flowchartof the method is shown in FIG. 4, which includes the following steps:

Step 301: The UE sends an RRC Connection Reestablishment Request messageto a BS where the UE currently locates, namely a current BS, to performan RRC connection reestablishment process.

It can be understood that after the first handover fails, the UE mayreturn to a different cell under a source BS, or return to the same cellunder the source BS, or return to a BS different from the source BS.

Step 302: After the RRC connection is reestablished, the current BSsends an RRC Connection Reestablishment Complete message to an MMEassociated with the current BS, namely a current MME.

It can be understood that the RRC Connection Reestablishment Completemessage may be an HO Notify message, or may be a Path Switch message.Specifically, if the UE returns to the different cell under the sourceBS, the current BS, namely the source BS, may send the HO Notify messageto the current MME to indicate that the connection reestablishment iscompleted; if the UE returns to the BS different from the source BS, thecurrent BS may send the Path Switch message to the current MME.

Step 303: The current MME receives the RRC Connection ReestablishmentComplete message sent by the current BS, and obtains a new NAS downlinkCOUNT value, in which the new NAS downlink COUNT value is different froma current NAS downlink COUNT value.

The obtaining method is the same as that described in step 203 of MethodEmbodiment 2, and the details are not described herein again.

Step 304: The current BS determines to perform the second handover andsends a Handover Required message to the current MME.

Step 305: After receiving the Handover Required message, the current MMEderives the key of the UE in the target UTRAN according to a KDF, a rootkey, and the new NAS downlink COUNT value obtained in step 303, andsends the derived key to a target RNC.

After the key is sent to the target RNC, the network handover method isthe same as the method of Method Embodiment 2 after step 205, and thedetails are not described herein again. In addition, step 303 and step304 in this embodiment may be performed at the same time, but preferablyperformed in sequence, and therefore, the network handover process maynot be affected, which saves the network handover time.

The key derivation method in the embodiment of the present invention isthat, during the handover of the UE from the EUTRAN to the UTRAN, afterthe first handover fails and before the second handover of the UE, theMME obtains the new NAS downlink COUNT value different from the currentNAS downlink COUNT value, so that after the MME receives the HandoverRequired message, the derived and calculated key of the UE in the targetUTRAN is surely different from the key derived in the first handoverprocess, therefore avoiding the situation in the prior art and enhancingthe network security.

In addition, because the obtaining of the new NAS downlink COUNT valueis performed before the second handover, the network handover may not beaffected, and compared with Method Embodiment 1, the network handovertime is reduced.

Method Embodiment 4

A key derivation method is provided. An application scenario of thisembodiment is that in the handover process of a UE from an EUTRAN to aUTRAN, after a first handover of the UE fails, the UE returns to theoriginal EUTRAN for a second handover. A flowchart of the method isshown in FIG. 5, which includes the following steps:

Step 401: The UE sends an RRC Connection Reestablishment Request messageto a BS where the UE currently locates, namely a current BS, in whichthe RRC Connection Reestablishment Request message may include a 2-bitspare to carry a fresh value of the UE, namely a random value.

Step 402: After receiving the RRC Connection Reestablishment Requestmessage, the current BS determines to perform the second handover of theUE, and sends, through a Handover Required message, the fresh value ofthe UE to the MME associated with the current BS, namely the currentMME, to derive the key of the UE in the target UTRAN.

Step 403: After receiving the Handover Required message, the current MMEuses the fresh value of the UE included in the Handover Required messageand a root key as input parameters of a KDF to derive the key of the UEin the target UTRAN.

When deriving the key, the current MME may use the fresh value of the UEand the root key as the input parameters of the KDF to derive the key ofthe UE in the target UTRAN; and in this case, the key CK′ ∥IK′=KDF(Kasme, S), where S=FC ∥ fresh value of UE ∥ length of freshvalue of UE.

Step 404: The current MME sends a Relocation Request message to a targetRNC through a target SGSN, in which the Relocation Request messageincludes the key of the UE in the target UTRAN calculated in step 403.

Step 405: The target RNC sends a Forward Relocation Response message tothe current MME through the target SGSN, in which the Forward RelocationResponse message carries an algorithm ID selected by the target RNCaccording to a security capability of the UE.

Step 406: The current MME sends a Handover Command message to the BS, inwhich the Handover Command message may include the current NAS downlinkCOUNT value, and may further include information such as an algorithmID; and then the BS sends the Handover Command message to the UE, inwhich the Handover Command message may include the current NAS downlinkCOUNT value.

Step 407: The UE receives the Handover Command message, and derives thekey according to the fresh value of the UE through the method in theabove step 403, therefore achieving the synchronization of the keybetween the UE and the target network.

In another specific embodiment, in step 403, the MME may use the freshvalue of the UE, the current NAS downlink COUNT value, and the root keyas the input parameters of the KDF to derive the key of the UE in thetarget UTRAN. In this case, the key CK′ ∥ IK′=KDF(Kasme, S), where S=FC∥ P0 ∥ L0 ∥ fresh value of UE ∥ length of fresh value of UE, so that theHandover Command message sent to the UE in step 406 must include thecurrent NAS downlink COUNT value, and may include the four leastsignificant bits; and in step 407, the UE may derive the key accordingto the fresh value of the UE and the current NAS downlink COUNT value byusing the method in step 403.

It can be understood that the subsequent process is similar to what isdescribed above, and the details are not described herein again.

In other specific embodiments, in the first handover process of the UE,the source

MME may save the key after the key derivation, and when receiving aForward Relocation Complete message sent by the target SGSN, the sourceMME may delete the saved key. Therefore, after receiving the HandoverRequired message, the current MME determines whether the key of the UEin the target UTRAN is currently saved; if yes, further determineswhether the NAS downlink COUNT value corresponding to the currentlysaved key of the UE in the target UTRAN is consistent with the currentNAS downlink COUNT value; and if consistent, the key derivation isperformed according to the method of this embodiment. Definitely, whenthe MME determines that the key of the UE in the target UTRAN is notcurrently saved, the derivation is performed according to the method ofthis embodiment; and if the above consistency determination result isinconsistent, the derivation is performed according to the derivationmethod in the prior art.

It can be understood that in the second handover of the UE after thefirst handover of the UE fails, before the MME receives the HandoverRequired message again, an NAS process may be performed, and the NASdownlink COUNT value changes, so that when the above determinationresult is inconsistent, the MME may use the current NAS downlink COUNTvalue to derive the key, and the key derived in this manner is differentfrom the key derived in the first handover; if the determination resultis positive, the key derivation is performed according to the method ofthis embodiment.

The key derivation method in the embodiment of the present invention isthat, in the handover process of the UE from the EUTRAN to the UTRAN,when the UE performs the second handover after the first handover fails,the UE calculates a fresh value, and sends the fresh value to thecurrent MME through the current BS; after receiving the HandoverRequired message, the current MME derives the key of the UE in thetarget UTRAN according to the fresh value of the UE, the KDF, the rootkey, and the current NAS downlink COUNT value included in the HandoverRequired message. In this manner, the key derived in the second handoverprocess is different from the key derived in the first handover process,therefore avoiding the situation in the prior art and enhancing thenetwork security.

Method Embodiment 5

A key derivation method is provided. An application scenario of thisembodiment is that in the handover process of a UE from an EUTRAN to aUTRAN, a BS in the original EUTRAN of the UE, namely a source BS,initiates a network handover. A flow chart of the method is shown inFIG. 6, which includes the following steps.

Step 501: The source BS sends a Handover Required message to a sourceMME.

Step 502: The source MME derives CK′∥ IK′ according to a KDF, a root keyKasme, and an NAS downlink COUNT value in a current security context.

Step 503: The source MME sends a Relocation Request message to a targetRNC through a target SGSN, in which the Relocation Request messageincludes CK′ ∥ IK′, KSI, and information such as a security capabilityof the UTRAN/GERAN of the UE.

Step 504: The target RNC sends a Forward Relocation Response message tothe source MME through the target SGSN, in which the Forward RelocationResponse message carries an algorithm ID of the security capability ofthe UE.

Step 505: The source MME completes a handover preparation process, andsends a

Handover Command message to the UE through the source BS, in which theHandover Command message carries the current NAS downlink COUNT valueand the algorithm ID of the security capability.

Step 506: The source MME changes the current NAS downlink COUNT value,for example, adding a certain value to the current NAS downlink COUNTvalue, such as adding 1, and saves the changed NAS downlink COUNT value;the changed NAS downlink COUNT value is used to derive the key of the UEin the target UTRAN.

Step 507: After receiving the Handover Command message, the UE derivesand calculates the key CK′ ∥ IK′ according to the KDF and the NASdownlink COUNT value that is included in the Handover Command message,so that the key of the UE and the target network is synchronized, and anHO Complete message is sent to the target RNC.

It can be understood that in the first handover process in thisembodiment, after the source MME sends the Handover Command message, theNAS downlink COUNT value is changed, so that after the first handover ofthe UE fails, the NAS downlink COUNT value saved in step 506 and used bythe MME for the key derivation in the second handover is surelydifferent from the NAS downlink COUNT value used in the first handover,and therefore the keys derived and calculated in the two handovers aredifferent, which achieves the purpose of enhancing the network security.

Device Embodiment 1

A physical device, i.e. a network entity called Mobility ManagementEntity (MME) is provided. A block diagram of the MME is shown in FIG. 7,which includes a generating unit 10, a deriving unit 11, and a sendingunit 12.

The generating unit 10 is configured to generate a random value.

The deriving unit 11 is configured to use a root key and the randomvalue that is generated by the generating unit 10 as input parameters ofa KDF to derive a key of a UE in a target UTRAN.

The sending unit 12 is configured to send the random value generated bythe generating unit 10 to the UE, so that the UE derives the key in thetarget UTRAN according to the random value.

The deriving unit 11 is further configured to use a current NAS downlinkCOUNT value, the root key, and the random value generated by thegenerating unit 10 as the input parameters of the KDF to derive the keyof the UE in the target UTRAN; and the sending unit 12 is configured tosend the current NAS downlink COUNT value and the random value generatedby the generating unit 10 to the UE, so that the UE derives the key inthe target UTRAN according to the random value and the current NASdownlink COUNT value.

In this embodiment, the generating unit 10 of the MME generates a randomvalue, and the deriving unit 11 derives the key according to the randomvalue, so that in the handover process of the UE from the EUTRAN to theUTRAN, after the first handover fails, the key derived by the MME in thesecond handover process is surely different from the key derived in thefirst handover process, therefore avoiding the situation in the priorart and enhancing the network security.

Device Embodiment 2

A UE is provided. A block diagram of the UE is shown in FIG. 8, whichincludes a message receiving unit 20 and a key deriving unit 21.

The message receiving unit 20 is configured to receive a HandoverCommand message.

The key deriving unit 21 is configured to use a random value and a rootkey as input parameters of a KDF to derive the key of the UE in a targetUTRAN if the Handover Command message received by the message receivingunit 20 includes the random value; and configured to use the randomvalue, a current NAS downlink COUNT value, and the root key as the inputparameters of the KDF to derive the key of the UE in the target UTRAN ifthe Handover Command message received by the message receiving unit 20includes the random value and the current NAS downlink COUNT value.

Device Embodiment 3

An MME is provided. A block diagram of the MME is shown in FIG. 9, whichincludes a count value obtaining unit 31, a second deriving unit 32, anda handover sending unit 33.

The count value obtaining unit 31 is configured to obtain a new NASdownlink COUNT value.

When the new NAS downlink COUNT value is obtained, an NAS message may besent to a UE, such as an NAS SMC message, so that the currently savedNAS downlink COUNT value may be added by 1, and the NAS downlink COUNTvalue after the NAS message is sent may be used as the new NAS downlinkCOUNT value. A certain value, such as 1, may be added to the current NASdownlink COUNT value.

The second deriving unit 32 is configured to derive a key of the UE in atarget UTRAN according to a KDF, a root key, and the new NAS downlinkCOUNT value that is obtained by the count value obtaining unit 31.

The handover sending unit 33 is configured to send the new NAS downlinkCOUNT value obtained by the count value obtaining unit 31 to the UEthrough a BS where the

UE currently locates, so that the UE derives the key in the targetUTRAN.

It can be understood that in other specific embodiments, the MME mayfurther include: a determination unit 34, configured to determinewhether the key of the UE in the target UTRAN is currently saved; and ifyes, further determine whether the NAS downlink COUNT valuecorresponding to the currently saved key of the UE in the target UTRANis consistent with the current NAS downlink COUNT value.

When the determination result of the determination unit 34 is that theNAS downlink COUNT value corresponding to the currently saved key of theUE in the target UTRAN is consistent with the current NAS downlink COUNTvalue, the count value obtaining unit 31 obtains the new NAS downlinkCOUNT value.

The count value obtaining unit 31 in the MME according to the embodimentof the present invention obtains the new NAS downlink COUNT valuedifferent from the current NAS downlink COUNT value; and finally thesecond deriving unit 32 derives the key of the UE in the target UTRANaccording to the KDF, the root key, and the new NAS downlink COUNTvalue, and the handover sending unit 33 sends the new NAS downlink COUNTvalue to the UE. In this manner, in the handover process of the UE fromthe EUTRAN to the UTRAN, after the first handover fails, the key derivedby the MME in the second handover process is surely different from thekey derived in the first handover process, therefore avoiding thesituation in the prior art and enhancing the network security.

In addition, it can be understood that after the first handover of theUE fails, during the second handover of the UE, before the MME receivesthe Handover Required message again, an NAS process may be performed,and the NAS downlink COUNT value therefore changes. The MME furtherincludes the determination unit 34 for consistency determination. If theconsistency determination result is inconsistent, the current NASdownlink COUNT value may be used to derive the key; if the consistencydetermination result is positive, the key is derived after the countvalue obtaining unit 31 obtains the new NAS downlink COUNT value.Therefore, the obtaining of the new NAS downlink COUNT value is reducedwhen the consistency determination result is inconsistent, therebysaving the load of the MME.

Device Embodiment 4

A UE is provided. A block diagram of the UE is shown in FIG. 10, whichincludes a second message receiving unit 40 and a second key derivingunit 41.

The second message receiving unit 40 is configured to receive a HandoverCommand message, in which the Handover Command message includes a newNAS downlink COUNT value.

The second key deriving unit 41 is configured to derive a key of the UEin a target UTRAN according to a KDF, a root key, and the new NASdownlink COUNT value in the Handover Command message received by thesecond message receiving unit 40.

Device Embodiment 5

An MME is provided. A block diagram of the MME is shown in FIG. 11,which includes a handover receiving unit 50 and a third deriving unit51.

The handover receiving unit 50 is configured to receive a HandoverRequired message, in which the Handover Required message includes afresh value of a UE.

The third deriving unit 51 is configured to use a root key and the freshvalue of the UE in the Handover Required message received by thehandover receiving unit 50 as input parameters of a KDF to derive thekey of the UE in a target UTRAN, or use a current NAS downlink COUNTvalue, the root key, and the fresh value of the UE in the HandoverRequired message received by the handover receiving unit 50 as the inputparameters of the KDF to derive the key of the UE in the target UTRAN.

In this embodiment, after the handover receiving unit 50 of the MMEreceives the

Handover Required message, the third deriving unit 51 derives the keyaccording to the fresh value of the UE included in the Handover Requiredmessage, so that in the handover process of the UE from the EUTRAN tothe UTRAN, after the first handover fails, the key derived by the MME inthe second handover process is surely different from the key derived inthe first handover process, therefore avoiding the situation in theprior art and enhancing the network security.

Device Embodiment 6

A BS is provided. A block diagram of the BS is shown in FIG. 12, whichincludes a reestablishment receiving unit 60 and a sending and derivingunit 61.

The reestablishment receiving unit 60 is configured to receive an RRCConnection Reestablishment Request message, in which the RRC ConnectionReestablishment Request message includes a fresh value of a UE.

The sending and deriving unit 61 is configured to send the fresh valueof the UE included in the RRC Connection Reestablishment Request messagereceived by the reestablishment receiving unit 60 to an MME through aHandover Required message when a second handover of the UE isdetermined, so as to facilitate the MME to derive the key of the UE inthe target UTRAN.

Device Embodiment 7

A UE is provided. A block diagram of the UE is shown in FIG. 13, whichincludes a reestablishment sending unit 71 and a third key deriving unit72.

The reestablishment sending unit 71 is configured to send an RRCConnection

Reestablishment Request message, in which RRC Connection ReestablishmentRequest message includes a fresh value of a UE.

The third key deriving unit 72 is configured to use the fresh value ofthe UE and a root key as input parameters of a KDF to derive the key ofthe UE in a target UTRAN when receiving a Handover Command message, andto use the fresh value of the UE, a current NAS downlink COUNT value,and the root key as the input parameters of the KDF to derive the key ofthe UE in the target UTRAN if the Handover Command message includes thecurrent NAS downlink COUNT value.

Device Embodiment 8

An MME is provided. A block diagram of the MME is shown in FIG. 14,which includes a message receiving unit 81 and a count value changingunit 82.

The message receiving unit 81 is configured to receive a ForwardRelocation Response message sent by a target SGSN.

The count value changing unit 82 is configured to change a current NASdownlink COUNT value and save the changed NAS downlink COUNT value aftersending a Handover

Command message to a UE, in which the changed NAS downlink COUNT valueis used to derive a key of the UE in a target UTRAN.

It can be understood that: After the message receiving unit 81 in theMME receives the Forward Relocation Response message sent by the SGSN inthe target network, which indicates that the target network hasperformed relocation for the UE, the handover can be performed. In thiscase, after the count value changing unit 82 sends the Handover Commandmessage, the current NAS downlink COUNT value is changed.

Therefore, after the first handover of the UE fails, during a secondhandover, the MME uses the NAS downlink COUNT value saved in the MME forderiving the key, which guarantees that the NAS downlink COUNT value isdifferent from the NAS downlink COUNT value used in the first handover,so that the keys derived and calculated in the two handovers aredifferent. Therefore, the purpose of enhancing the network security isachieved.

System Embodiment

A communication system is provided, which includes an MME. The MME issimilar to any one of the MMEs in Device Embodiments 1, 3, 5 and 8, andthe key derivation method according to the above embodiments may beperformed.

It can be understood that the communication system further includesother devices such as a UE and a BS, and the network security can beenhanced through the communication between the UE and the BS.

The key derivation method, device, and system according to theembodiments of the present invention are applicable to the handoverprocess of the UE from the EUTRAN to the

UTRAN. From the failure of the first handover to the second handover, itis guaranteed that the key derived on the source MME in the firsthandover process of the UE is different from the key derived on the MMEin the second handover process of the UE by changing the inputparameters used in the key derivation by the MME, such as generating therandom value, changing the current NAS downlink COUNT value, andobtaining the fresh value of the UE, so as to prevent the situation inthe prior art that once the key used on one RNC is obtained, the keys onother RNCs can be derived accordingly, thereby enhancing the networksecurity.

Persons skilled in the art should understand that all or a part of thesteps of the method according to the embodiments of the presentinvention may be implemented by a program instructing relevant hardware.The program may be stored in a computer readable storage medium, such asa Read Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk,or an optical disk.

The method, device, and system for deriving keys are described in detailabove. The principle and implementation of the present invention aredescribed herein through specific examples. The description about theembodiments of the present invention is merely provided for ease ofunderstanding of the method and core ideas of the present invention.Persons skilled in the art can make variations and modifications to thepresent invention in terms of the specific implementations andapplication scopes according to the ideas of the present invention.Therefore, the specification shall not be construed as a limit to thepresent invention.

1. A method for deriving a key for use by a user equipment (UE) in atarget radio access network when the UE is handed over from a sourceradio access network to the target radio access network, comprising:receiving, by a mobility management entity (MME) of the source radioaccess network, a “Handover Required” message from a base station (BS)of the source radio access network; obtaining, by the MME, a Non-AccessStratum (NAS) downlink COUNT value; deriving, by the MME, a key for useby the UE in the target radio access network according to a KeyDerivation Function (KDF), a root key, and the NAS downlink COUNT value;and sending, by the MME, at least a part of the NAS downlink COUNT valueto the UE.
 2. The method according to claim 1, wherein the NAS downlinkCOUNT value is a new NAS downlink COUNT value obtained based on acurrent NAS downlink COUNT value, and obtaining, by the MME, the new NASdownlink COUNT value comprises: adding, by the MME, a certain value tothe current NAS downlink COUNT value.
 3. The method according to claim2, wherein the certain value is
 1. 4. The method according to claim 1,wherein the obtaining, by the MME, the NAS downlink COUNT valuecomprises: sending, by the MME, an NAS message to the UE, and using anNAS downlink COUNT value after the NAS message is sent as the NASdownlink COUNT value.
 5. The method according to claim 1, wherein thesending, by the MME, at least a part of the NAS downlink COUNT value tothe UE comprises: sending, by the MME, four least significant bits ofthe NAS downlink COUNT value to the UE.
 6. The method according to claim1, wherein the source radio access network is an Evolved UniversalTerrestrial Radio Access Network (EUTRAN).
 7. The method according toclaim 1, wherein the target radio access network is a UniversalTerrestrial Radio Access Network (UTRAN).
 8. A method for derive a keyfor use by a user equipment (UE) in a target radio access network whenthe UE is handed over from a source radio access network to a targetradio access network, comprising: receiving, by the UE, a HandoverCommand message from a base station of the source radio access network;wherein the Handover Command message comprises at least a part of aNon-Access Stratum (NAS) downlink COUNT value obtained from a MobilityManagement Entity (MME) of the source radio access network; andderiving, by the UE, the key for use by the UE in the target radioaccess network according to a Key Derivation Function (KDF), a root key,and the at least a part of the NAS downlink COUNT value.
 9. The methodaccording to claim 8, wherein the NAS downlink COUNT value is a new NASdownlink COUNT value obtained based on a current NAS downlink COUNTvalue, and the new NAS downlink COUNT value is obtained by adding acertain value to the current NAS downlink COUNT value.
 10. The methodaccording to claim 9, wherein the certain value is
 1. 11. The methodaccording to claim 8, wherein the at least a part of the NAS downlinkCOUNT value comprises: four least significant bits of the NAS downlinkCOUNT value.
 12. The method according to claim 8, wherein the sourceradio access network is an Evolved Universal Terrestrial Radio AccessNetwork (EUTRAN).
 13. The method according to claim 8, wherein thetarget radio access network is a Universal Terrestrial Radio AccessNetwork (UTRAN).
 14. An apparatus for deriving a key for use by a userequipment (UE) in a target radio access network when the UE is handedover from a source radio access network to the target radio accessnetwork, comprising: a receiving unit, configured to receive a “HandoverRequired” message from a base station of the source radio accessnetwork; an obtaining unit, configured to obtain, a Non-Access Stratum(NAS) downlink COUNT value; a key deriving unit, configured to derive anew key for the UE to use in the target radio access network accordingto a Key Derivation Function (KDF), a root key, and the NAS downlinkCOUNT value; and a sending unit, configured to send at least a part ofthe NAS downlink COUNT value to the UE.
 15. The apparatus according toclaim 14, wherein the NAS downlink COUNT value is a new NAS downlinkCOUNT value obtained based on a current NAS downlink COUNT value, andthe obtaining unit is configured to obtain the new NAS downlink COUNTvalue by adding a certain value to the current NAS downlink COUNT value.16. The apparatus according to claim 15, wherein the certain value is 1.17. The apparatus according to claim 14, wherein the sending unit isconfigured to send four least significant bits of the NAS downlink COUNTvalue to the UE.
 18. The apparatus according to claim 14, wherein thesource radio access network is an Evolved Universal Terrestrial RadioAccess Network (EUTRAN).
 19. The apparatus according to claim 14,wherein the target radio access network is a Universal Terrestrial RadioAccess Network (UTRAN).
 20. The apparatus according to claim 14, wherethe apparatus is a Mobility Management Entity of the source radio accessnetwork.
 21. A user equipment (UE), comprising: a receiving unit,configured to receive a Handover Command message from a base station ofa source radio access network where the UE is located; wherein theHandover Command message comprises at least a part of a Non-AccessStratum (NAS) downlink COUNT value obtained from a Mobility ManagementEntity (MME) of the source radio access network; and a key derivingunit, configured to derive a key for use by the UE in a target radioaccess network which the UE is handed over to according to a KeyDerivation Function (KDF), a root key, and the at least a part of theNAS downlink COUNT value.
 22. The UE according to claim 21, wherein theNAS downlink COUNT value is a new NAS downlink COUNT value obtainedbased on a current NAS downlink COUNT value, and the new NAS downlinkCOUNT value is obtained by adding a certain value to the current NASdownlink COUNT value.
 23. The UE according to claim 22, wherein thecertain value is
 1. 24. The UE according to claim 21, wherein the partof the NAS downlink COUNT value comprises four least significant bits ofthe NAS downlink COUNT value.
 25. The UE according to claim 21, whereinthe source radio access network is an Evolved Universal TerrestrialRadio Access Network (EUTRAN).
 26. The UE according to claim 21, whereinthe target radio access network is a Universal Terrestrial Radio AccessNetwork (UTRAN).